/** * @license * Copyright Google Inc. All Rights Reserved. * * Use of this source code is governed by an MIT-style license that can be * found in the LICENSE file at https://angular.io/license */ import * as t from '@angular/core/testing/testing_internal'; import {browserDetection} from '@angular/platform-browser/testing/browser_util'; import {getDOM} from '../../src/dom/dom_adapter'; import {sanitizeHtml} from '../../src/security/html_sanitizer'; export function main() { t.describe('HTML sanitizer', () => { let originalLog: (msg: any) => any = null; let logMsgs: string[]; t.beforeEach(() => { logMsgs = []; originalLog = getDOM().log; // Monkey patch DOM.log. getDOM().log = (msg) => logMsgs.push(msg); }); t.afterEach(() => { getDOM().log = originalLog; }); t.it('serializes nested structures', () => { t.expect(sanitizeHtml('
a
bcdea
bcdeHello
World
Hello
World
Hello < World
')).toEqual('Hello < World
'); t.expect(sanitizeHtml('Hello < World
')).toEqual('Hello < World
'); t.expect(sanitizeHtml('Hello
')) .toEqual('Hello
'); // NB: quote encoded as ASCII ". }); t.describe('should strip dangerous elements', () => { let dangerousTags = [ 'frameset', 'form', 'param', 'object', 'embed', 'textarea', 'input', 'button', 'option', 'select', 'script', 'style', 'link', 'base', 'basefont' ]; for (let tag of dangerousTags) { t.it( `${tag}`, () => { t.expect(sanitizeHtml(`<${tag}>evil!${tag}>`)).toEqual('evil!'); }); } t.it(`swallows frame entirely`, () => { t.expect(sanitizeHtml(`evil!`)).not.toContain(''); }); }); t.describe('should strip dangerous attributes', () => { let dangerousAttrs = ['id', 'name', 'style']; for (let attr of dangerousAttrs) { t.it(`${attr}`, () => { t.expect(sanitizeHtml(`evil!`)).toEqual('evil!'); }); } }); if (browserDetection.isWebkit) { t.it('should prevent mXSS attacks', function() { t.expect(sanitizeHtml('CLICKME')) .toEqual('CLICKME'); }); } }); }